This is a result of the fix for #18124. It's not an exact duplicate of #18165 probably which says that Content-Disposition should not be added for responses not in the 200-299 range. This is however a duplicate of #18164.
Alas, the Content-Disposition header is necessary for RFD protection. We've just updated the docs with information on that and there is also the CVE report.
A key assumption is that such Content-Disposition header doesn't affect REST API calls. However if typed into a browser there is the side effect. Could you confirm the impact of the Content-Disposition header in your case? Thanks.